Replace capability dictionary with str.lower()

The "cap" dictionary didn't bring any value and needed to be updated with new capabilities. Fixes: Udica fails when container info contains CAP_PERFMON Couldn't create policy: 'PERFMON' Error: Process completed with exit code 4. #88 Signed-off-by: Vit Mojzis <[email protected]>
containers · Jul 8, 2021 · 6e74f83 · 6e74f83
1 parent 2233112
commit 6e74f83
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 43 deletions.
diff --git a/udica/perms.py b/udica/perms.py
@@ -13,47 +13,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-cap = {
-    "CHOWN": "chown ",
-    "DAC_OVERRIDE": "dac_override ",
-    "DAC_READ_SEARCH": "dac_read_search ",
-    "FOWNER": "fowner ",
-    "FSETID": "fsetid ",
-    "KILL": "kill ",
-    "SETGID": "setgid ",
-    "SETUID": "setuid ",
-    "SETPCAP": "setpcap ",
-    "LINUX_IMMUTABLE": "linux_immutable ",
-    "NET_BIND_SERVICE": "net_bind_service ",
-    "NET_BROADCAST": "net_broadcast ",
-    "NET_ADMIN": "net_admin ",
-    "NET_RAW": "net_raw ",
-    "IPC_LOCK": "ipc_lock ",
-    "IPC_OWNER": "ipc_owner ",
-    "SYS_MODULE": "sys_module ",
-    "SYS_RAWIO": "sys_rawio ",
-    "SYS_CHROOT": "sys_chroot ",
-    "SYS_PTRACE": "sys_ptrace ",
-    "SYS_PACCT": "sys_pacct ",
-    "SYS_ADMIN": "sys_admin ",
-    "SYS_BOOT": "sys_boot ",
-    "SYS_NICE": "sys_nice ",
-    "SYS_RESOURCE": "sys_resource ",
-    "SYS_TIME": "sys_time ",
-    "SYS_TTY_CONFIG": "sys_tty_config ",
-    "MKNOD": "mknod ",
-    "LEASE": "lease ",
-    "AUDIT_WRITE": "audit_write ",
-    "AUDIT_CONTROL": "audit_control ",
-    "SETFCAP": "setfcap ",
-    "MAC_OVERRIDE": "mac_override ",
-    "MAC_ADMIN": "mac_admin ",
-    "SYSLOG": "syslog ",
-    "WAKE_ALARM": "wake_alarm ",
-    "BLOCK_SUSPEND": "block_suspend ",
-    "AUDIT_READ": "audit_read ",
-}
-
 perm = {
     "devrw": "getattr read write append ioctl lock open",
     "drw": "add_name create getattr ioctl lock open read remove_name rmdir search setattr write",

diff --git a/udica/policy.py b/udica/policy.py
@@ -141,9 +141,9 @@ def create_policy(
         for item in capabilities:
             # Capabilities parsed from podman inspection JSON file have prefix "CAP_", this should be removed
             if "CAP_" in item:
-                caps = caps + perms.cap[item[4:]]
+                caps = caps + item[4:].lower() + " "
             else:
-                caps = caps + perms.cap[item]
+                caps = caps + item.lower() + " "
 
         policy.write("    (allow process process ( capability ( " + caps + "))) \n")
         policy.write("\n")